spender-sandbox / cuckoo-modified

Modified edition of cuckoo

Cuckoo stopped logging network and creating pcap #487

Closed DigiAngel closed 6 years ago

DigiAngel commented 6 years ago

Topic says it :( My cuckoo box is no longer creating pcaps or showing the network traffic in the Network tab, but in the Behavior tab I see the network activity, like an HTTP download with a 200 response and a dropped file. Here's my log... anything obvious I can check? Thank you.

2017-05-09 15:16:10,015 [root] INFO: Date set to: 05-09-17, time set to: 21:16:10
2017-05-09 15:16:10,015 [root] DEBUG: Starting analyzer from: C:\krcfc
2017-05-09 15:16:10,015 [root] DEBUG: Storing results at: C:\EQmBZlaE
2017-05-09 15:16:10,015 [root] DEBUG: Pipe server name: \\.\PIPE\cPHNnCtlNg
2017-05-09 15:16:10,015 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2017-05-09 15:16:10,015 [root] INFO: Automatically selected analysis package "doc"
2017-05-09 15:16:10,296 [root] DEBUG: Started auxiliary module Browser
2017-05-09 15:16:10,296 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2017-05-09 15:16:10,875 [modules.auxiliary.digisig] DEBUG: File format not recognized.
2017-05-09 15:16:10,875 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2017-05-09 15:16:10,890 [root] DEBUG: Started auxiliary module DigiSig
2017-05-09 15:16:10,890 [root] DEBUG: Started auxiliary module Disguise
2017-05-09 15:16:10,890 [root] DEBUG: Started auxiliary module Human
2017-05-09 15:16:10,890 [root] DEBUG: Started auxiliary module Screenshots
2017-05-09 15:16:10,890 [root] DEBUG: Started auxiliary module Usage
2017-05-09 15:16:11,375 [lib.api.process] INFO: Successfully executed process from path "C:\Program Files\Microsoft Office\Office12\WINWORD.EXE" with arguments ""C:\Users\Steve\AppData\Local\Temp\cibc2112457656545_2154.doc" /q" with pid 2084
2017-05-09 15:16:11,375 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-05-09 15:16:11,483 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2084
2017-05-09 15:16:13,483 [lib.api.process] INFO: Successfully resumed process with pid 2084
2017-05-09 15:16:13,483 [root] INFO: Added new process to list with pid: 2084
2017-05-09 15:16:13,983 [root] INFO: Cuckoomon successfully loaded in process with pid 2084.
2017-05-09 15:16:14,921 [root] INFO: Disabling sleep skipping.
2017-05-09 15:16:16,296 [root] INFO: Added new file to list with path: C:\Users\Steve\AppData\Roaming\Microsoft\Templates\Normal.dotm
2017-05-09 15:16:16,405 [root] INFO: Added new file to list with path: C:\Users\Steve\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
2017-05-09 15:16:17,078 [root] INFO: Added new file to list with path: C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{BE1F96E6-E064-498A-AA34-3E4052083925}.tmp
2017-05-09 15:16:17,437 [root] INFO: Added new file to list with path: C:\Users\Steve\AppData\Local\Temp\cibc2112457656545_2154.doc
2017-05-09 15:16:17,546 [root] INFO: Added new file to list with path: C:\Users\Steve\AppData\Local\Temp\~$bc2112457656545_2154.doc
2017-05-09 15:16:17,733 [root] INFO: Added new file to list with path: C:\Users\Steve\AppData\Local\Microsoft\Office\TCDiag\WDTCD.LOG
2017-05-09 15:16:19,592 [root] INFO: Added new file to list with path: C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{1D854C7D-1D7E-4F2D-8B66-A76D40EADA56}.tmp
2017-05-09 15:16:20,046 [root] INFO: Added new file to list with path: C:\Users\Steve\AppData\Local\Temp\VBE\MSForms.exd
2017-05-09 15:16:23,092 [root] INFO: Added new file to list with path: C:\Users\Steve\AppData\Local\Temp\~DF3AE947631C004FDB.TMP
2017-05-09 15:16:23,733 [root] INFO: Added new file to list with path: C:\Users\Steve\Application Data\Microsoft\Forms\WINWORD.box
2017-05-09 15:16:24,358 [root] INFO: Announced 32-bit process name: cmd.exe pid: 2296
2017-05-09 15:16:24,358 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-05-09 15:16:24,390 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2296
2017-05-09 15:16:24,421 [root] INFO: Disabling sleep skipping.
2017-05-09 15:16:24,467 [root] INFO: Added new process to list with pid: 2296
2017-05-09 15:16:24,467 [root] INFO: Cuckoomon successfully loaded in process with pid 2296.
2017-05-09 15:16:24,578 [root] INFO: Announced 32-bit process name: powershell.exe pid: 2376
2017-05-09 15:16:24,578 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-05-09 15:16:24,608 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2376
2017-05-09 15:16:24,703 [root] INFO: Disabling sleep skipping.
2017-05-09 15:16:24,750 [root] INFO: Added new process to list with pid: 2376
2017-05-09 15:16:24,750 [root] INFO: Cuckoomon successfully loaded in process with pid 2376.
2017-05-09 15:16:26,328 [root] INFO: Added new file to list with path: C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9NEHT0O9EUPVTU9U9ASQ.temp
2017-05-09 15:16:32,937 [root] INFO: Added new file to list with path: C:\Users\Steve\AppData\Local\Temp\qp-v.bat
2017-05-09 15:16:33,030 [root] INFO: Announced 32-bit process name: cmd.exe pid: 2520
2017-05-09 15:16:33,030 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-05-09 15:16:33,155 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2520
2017-05-09 15:16:33,187 [root] INFO: Notified of termination of process with pid 2376.
2017-05-09 15:16:33,265 [root] INFO: Notified of termination of process with pid 2296.
2017-05-09 15:16:33,280 [root] INFO: Disabling sleep skipping.
2017-05-09 15:16:33,328 [root] INFO: Added new process to list with pid: 2520
2017-05-09 15:16:33,328 [root] INFO: Cuckoomon successfully loaded in process with pid 2520.
2017-05-09 15:16:33,375 [root] INFO: Announced 32-bit process name: powershell.exe pid: 2624
2017-05-09 15:16:33,375 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-05-09 15:16:33,421 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2624
2017-05-09 15:16:33,530 [root] INFO: Process with pid 2296 has terminated
2017-05-09 15:16:34,530 [root] INFO: Process with pid 2376 has terminated
2017-05-09 15:16:35,640 [root] INFO: Disabling sleep skipping.
2017-05-09 15:16:35,687 [root] INFO: Added new process to list with pid: 2624
2017-05-09 15:16:35,687 [root] INFO: Cuckoomon successfully loaded in process with pid 2624.
2017-05-09 15:16:36,733 [root] INFO: Added new file to list with path: C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\48O5RAUGH8FRLA5UJ8GE.temp
2017-05-09 15:16:42,342 [modules.auxiliary.human] INFO: Closing Office window.
2017-05-09 15:16:42,921 [root] INFO: Added new file to list with path: C:\Users\Steve\AppData\Roaming\Microsoft\Office\VB12.pip
2017-05-09 15:16:43,015 [root] INFO: Added new file to list with path: C:\Users\Steve\AppData\Local\Temp\qakyvhhgvn1.exE
2017-05-09 15:16:43,280 [root] INFO: Added new file to list with path: C:\Users\Steve\AppData\Roaming\Microsoft\Office\Word12.pip
2017-05-09 15:16:44,078 [root] INFO: Notified of termination of process with pid 2084.
2017-05-09 15:16:44,578 [root] INFO: Process with pid 2084 has terminated
2017-05-09 15:16:47,062 [root] INFO: Announced 32-bit process name: qakyvhhgvn1.exE pid: 2820
2017-05-09 15:16:47,062 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-05-09 15:16:47,125 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2820
2017-05-09 15:16:47,171 [root] INFO: Disabling sleep skipping.
2017-05-09 15:16:47,217 [root] INFO: Notified of termination of process with pid 2624.
2017-05-09 15:16:47,217 [root] INFO: Added new process to list with pid: 2820
2017-05-09 15:16:47,217 [root] INFO: Cuckoomon successfully loaded in process with pid 2820.
2017-05-09 15:16:47,296 [root] INFO: Notified of termination of process with pid 2520.
2017-05-09 15:16:47,592 [root] INFO: Process with pid 2520 has terminated
2017-05-09 15:16:48,421 [root] INFO: Added new file to list with path: C:\Users\Steve\AppData\Roaming\winapp\pajxuggfum0.exE
2017-05-09 15:16:48,592 [root] INFO: Process with pid 2624 has terminated
2017-05-09 15:16:53,453 [root] INFO: Announced 32-bit process name: pajxuggfum0.exE pid: 2940
2017-05-09 15:16:53,453 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-05-09 15:16:53,515 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2940
2017-05-09 15:16:53,515 [root] INFO: Notified of termination of process with pid 2820.
2017-05-09 15:16:53,546 [root] INFO: Disabling sleep skipping.
2017-05-09 15:16:53,578 [root] INFO: Added new process to list with pid: 2940
2017-05-09 15:16:53,592 [root] INFO: Process with pid 2820 has terminated
2017-05-09 15:16:53,578 [root] INFO: Cuckoomon successfully loaded in process with pid 2940.
2017-05-09 15:16:54,828 [root] INFO: Stopping Task Scheduler Service
2017-05-09 15:16:54,983 [root] INFO: Stopped Task Scheduler Service
2017-05-09 15:16:55,280 [root] INFO: Starting Task Scheduler Service
2017-05-09 15:16:56,015 [root] INFO: Started Task Scheduler Service
2017-05-09 15:16:56,030 [lib.api.process] DEBUG: Using CreateRemoteThread injection.
2017-05-09 15:16:56,108 [root] INFO: Disabling sleep skipping.
2017-05-09 15:16:56,171 [root] INFO: Added new process to list with pid: 820
2017-05-09 15:16:56,171 [root] INFO: Cuckoomon successfully loaded in process with pid 820.
2017-05-09 15:16:58,203 [root] INFO: Added new file to list with path: C:\Windows\System32\Tasks\services update
2017-05-09 15:17:00,967 [root] INFO: Notified of termination of process with pid 2940.
2017-05-09 15:17:01,608 [root] INFO: Process with pid 2940 has terminated
2017-05-09 15:17:07,203 [root] INFO: Stopping WMI Service
2017-05-09 15:17:07,796 [root] INFO: Added new file to list with path: C:\Windows\Temp\fwtsqmfile00.sqm
2017-05-09 15:17:35,108 [root] INFO: Announced starting service "SSDPSRV"
2017-05-09 15:17:35,125 [lib.api.process] DEBUG: Using CreateRemoteThread injection.
2017-05-09 15:17:35,203 [root] INFO: Disabling sleep skipping.
2017-05-09 15:17:35,233 [root] INFO: Added new process to list with pid: 436
2017-05-09 15:17:35,233 [root] INFO: Cuckoomon successfully loaded in process with pid 436.
2017-05-09 15:17:35,921 [root] INFO: Added new file to list with path: C:\Windows\WindowsUpdate.log
2017-05-09 15:17:36,217 [root] INFO: Announced 32-bit process name: svchost.exe pid: 3712
2017-05-09 15:17:36,217 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-05-09 15:17:36,280 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3712
2017-05-09 15:17:36,328 [root] INFO: Disabling sleep skipping.
2017-05-09 15:17:36,375 [root] INFO: Added new process to list with pid: 3712
2017-05-09 15:17:36,375 [root] INFO: Cuckoomon successfully loaded in process with pid 3712.
2017-05-09 15:17:36,828 [root] INFO: Announced 32-bit process name: sppsvc.exe pid: 3608
2017-05-09 15:17:36,828 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-05-09 15:17:36,890 [root] INFO: Announced 32-bit process name: svchost.exe pid: 1040
2017-05-09 15:17:36,890 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-05-09 15:17:36,905 [root] INFO: Disabling sleep skipping.
2017-05-09 15:17:37,000 [root] INFO: Added new process to list with pid: 3608
2017-05-09 15:17:37,000 [root] INFO: Disabling sleep skipping.
2017-05-09 15:17:37,000 [root] INFO: Cuckoomon successfully loaded in process with pid 3608.
2017-05-09 15:17:37,062 [root] INFO: Added new process to list with pid: 1040
2017-05-09 15:17:37,062 [root] INFO: Cuckoomon successfully loaded in process with pid 1040.
2017-05-09 15:17:40,921 [root] INFO: Announced 32-bit process name: explorer.exe pid: 1412
2017-05-09 15:17:41,015 [lib.api.process] DEBUG: Using CreateRemoteThread injection.
2017-05-09 15:17:41,217 [root] INFO: Disabling sleep skipping.
2017-05-09 15:17:41,280 [root] INFO: Added new process to list with pid: 1412
2017-05-09 15:17:41,280 [root] INFO: Cuckoomon successfully loaded in process with pid 1412.
2017-05-09 15:17:45,078 [root] INFO: Added new file to list with path: C:\Users\Steve\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db
2017-05-09 15:17:45,125 [root] INFO: Added new file to list with path: C:\Users\Steve\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db
2017-05-09 15:17:45,155 [root] INFO: Added new file to list with path: C:\Users\Steve\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db
2017-05-09 15:17:45,171 [root] INFO: Added new file to list with path: C:\Users\Steve\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1024.db
2017-05-09 15:17:45,217 [root] INFO: Added new file to list with path: C:\Users\Steve\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db
2017-05-09 15:17:45,375 [root] INFO: Added new file to list with path: C:\Users\Steve\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
2017-05-09 15:17:47,578 [root] INFO: Added new file to list with path: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log
2017-05-09 15:17:52,890 [root] INFO: Added new file to list with path: C:\Windows\SoftwareDistribution\DataStore\Logs\tmp.edb
2017-05-09 15:17:55,296 [root] INFO: Added new file to list with path: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb
2017-05-09 15:22:38,530 [root] INFO: Notified of termination of process with pid 3608.
2017-05-09 15:22:39,750 [root] INFO: Process with pid 3608 has terminated
2017-05-09 15:23:15,358 [root] INFO: Stopped WMI Service
2017-05-09 15:23:17,217 [lib.api.process] DEBUG: Using CreateRemoteThread injection.
2017-05-09 15:23:25,437 [root] INFO: Disabling sleep skipping.
2017-05-09 15:23:26,092 [root] INFO: Starting WMI Service
2017-05-09 15:23:27,671 [root] INFO: Added new process to list with pid: 572
2017-05-09 15:23:28,203 [root] INFO: Started WMI Service
2017-05-09 15:23:28,890 [root] INFO: Cuckoomon successfully loaded in process with pid 572.
2017-05-09 15:23:30,671 [lib.api.process] DEBUG: Using CreateRemoteThread injection.
2017-05-09 15:25:08,796 [root] INFO: Added new file to list with path: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk
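The log posted above is the in-guest analyzer log (analysis.log), so it can only show what the agent saw inside the VM: which processes were hooked and which files were written. Packet capture is done by the host-side sniffer auxiliary module and is reported in cuckoo.log, which is why a pcap problem is not diagnosable from this file. What the agent log is good for is confirming that guest-side monitoring itself was healthy. The script below is an added example (not part of the issue or of the cuckoo-modified project) that parses a verbatim excerpt of the log above into a process and dropped-file timeline and runs two sanity checks: processes that were announced but never reported Cuckoomon loaded (a monitoring gap), and processes still alive when the log ends. The line-format regexes are assumptions derived from the visible lines, not a documented log grammar.

```python
"""Parse a cuckoo-modified analyzer (agent) log into a process/file timeline.

Added example, not code from the issue or from the cuckoo-modified project.
LOG_EXCERPT is copied verbatim from the analyzer log posted in the issue
(trimmed to a handful of lines); the regexes are assumptions derived from
those lines rather than a documented log format.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Excerpt of the posted analyzer log (raw string so the Windows paths survive).
LOG_EXCERPT = r"""
2017-05-09 15:16:10,015 [root] INFO: Automatically selected analysis package "doc"
2017-05-09 15:16:11,375 [lib.api.process] INFO: Successfully executed process from path "C:\Program Files\Microsoft Office\Office12\WINWORD.EXE" with arguments ""C:\Users\Steve\AppData\Local\Temp\cibc2112457656545_2154.doc" /q" with pid 2084
2017-05-09 15:16:13,983 [root] INFO: Cuckoomon successfully loaded in process with pid 2084.
2017-05-09 15:16:24,358 [root] INFO: Announced 32-bit process name: cmd.exe pid: 2296
2017-05-09 15:16:24,467 [root] INFO: Cuckoomon successfully loaded in process with pid 2296.
2017-05-09 15:16:24,578 [root] INFO: Announced 32-bit process name: powershell.exe pid: 2376
2017-05-09 15:16:24,750 [root] INFO: Cuckoomon successfully loaded in process with pid 2376.
2017-05-09 15:16:32,937 [root] INFO: Added new file to list with path: C:\Users\Steve\AppData\Local\Temp\qp-v.bat
2017-05-09 15:16:33,530 [root] INFO: Process with pid 2296 has terminated
2017-05-09 15:16:34,530 [root] INFO: Process with pid 2376 has terminated
2017-05-09 15:16:43,015 [root] INFO: Added new file to list with path: C:\Users\Steve\AppData\Local\Temp\qakyvhhgvn1.exE
2017-05-09 15:16:44,578 [root] INFO: Process with pid 2084 has terminated
2017-05-09 15:16:47,062 [root] INFO: Announced 32-bit process name: qakyvhhgvn1.exE pid: 2820
2017-05-09 15:16:47,217 [root] INFO: Cuckoomon successfully loaded in process with pid 2820.
2017-05-09 15:16:48,421 [root] INFO: Added new file to list with path: C:\Users\Steve\AppData\Roaming\winapp\pajxuggfum0.exE
2017-05-09 15:16:53,453 [root] INFO: Announced 32-bit process name: pajxuggfum0.exE pid: 2940
2017-05-09 15:16:53,592 [root] INFO: Process with pid 2820 has terminated
2017-05-09 15:16:53,578 [root] INFO: Cuckoomon successfully loaded in process with pid 2940.
2017-05-09 15:16:56,171 [root] INFO: Cuckoomon successfully loaded in process with pid 820.
2017-05-09 15:16:58,203 [root] INFO: Added new file to list with path: C:\Windows\System32\Tasks\services update
2017-05-09 15:17:01,608 [root] INFO: Process with pid 2940 has terminated
2017-05-09 15:17:36,217 [root] INFO: Announced 32-bit process name: svchost.exe pid: 3712
2017-05-09 15:17:36,375 [root] INFO: Cuckoomon successfully loaded in process with pid 3712.
"""

# "<timestamp> [<source>] <LEVEL>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<src>[^\]]+)\] (?P<lvl>[A-Z]+): (?P<msg>.*)$"
)
PACKAGE_RE = re.compile(r'Automatically selected analysis package "(?P<pkg>[^"]+)"')
EXEC_RE = re.compile(r'Successfully executed process from path "(?P<path>[^"]+)" '
                     r'with arguments "(?P<args>.*)" with pid (?P<pid>\d+)$')
ANNOUNCE_RE = re.compile(r"Announced (?:32|64)-bit process name: (?P<name>.+?) pid: (?P<pid>\d+)$")
LOADED_RE = re.compile(r"Cuckoomon successfully loaded in process with pid (?P<pid>\d+)\.$")
TERMINATED_RE = re.compile(r"Process with pid (?P<pid>\d+) has terminated$")
FILE_RE = re.compile(r"Added new file to list with path: (?P<path>.+)$")


@dataclass
class ProcessRecord:
    pid: int
    name: Optional[str] = None      # None when the process was hooked without being announced
    first_seen: Optional[str] = None
    hooked: bool = False            # Cuckoomon reported loaded
    terminated: bool = False


@dataclass
class AnalysisSummary:
    package: Optional[str] = None
    processes: Dict[int, ProcessRecord] = field(default_factory=dict)
    files: List[str] = field(default_factory=list)

    def _proc(self, pid: int, ts: str) -> ProcessRecord:
        return self.processes.setdefault(pid, ProcessRecord(pid=pid, first_seen=ts))

    def unhooked(self) -> List[int]:
        """Processes the agent knew about but never confirmed hooking: a monitoring gap."""
        return sorted(p.pid for p in self.processes.values() if not p.hooked)

    def running_at_end(self) -> List[int]:
        """Processes with no termination record when the log ends."""
        return sorted(p.pid for p in self.processes.values() if not p.terminated)

    def dropped_executables(self) -> List[str]:
        exts = (".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".js")
        return [f for f in self.files if f.lower().endswith(exts)]


def parse_analyzer_log(text: str) -> AnalysisSummary:
    summary = AnalysisSummary()
    for raw in text.splitlines():
        line = LINE_RE.match(raw)
        if not line:
            continue  # blank line or something that is not a log record
        ts, msg = line.group("ts"), line.group("msg")
        if (m := PACKAGE_RE.search(msg)):
            summary.package = m.group("pkg")
        elif (m := EXEC_RE.search(msg)):
            rec = summary._proc(int(m.group("pid")), ts)
            rec.name = m.group("path").rsplit("\\", 1)[-1]
        elif (m := ANNOUNCE_RE.search(msg)):
            summary._proc(int(m.group("pid")), ts).name = m.group("name")
        elif (m := LOADED_RE.search(msg)):
            summary._proc(int(m.group("pid")), ts).hooked = True
        elif (m := TERMINATED_RE.search(msg)):
            summary._proc(int(m.group("pid")), ts).terminated = True
        elif (m := FILE_RE.search(msg)):
            summary.files.append(m.group("path"))
    return summary


if __name__ == "__main__":
    s = parse_analyzer_log(LOG_EXCERPT)
    print(f"package={s.package}")
    for p in sorted(s.processes.values(), key=lambda r: r.first_seen or ""):
        print(f"{p.first_seen} pid={p.pid:<5} {p.name or '<unannounced>':<18} hooked={p.hooked} terminated={p.terminated}")
    print("dropped executables:", *s.dropped_executables(), sep="\n  ")
    print("unhooked pids:", s.unhooked(), "| still running:", s.running_at_end())
```

Run against the excerpt, the report shows every announced process confirmed hooked (so guest-side monitoring was fine, consistent with the Behavior tab being populated), the three dropped scripts/executables, and pid 820, which was hooked by CreateRemoteThread injection without an "Announced" line, as the parser must tolerate. The absence of any pcap cannot be judged from here; that is the host-side sniffer's job, which is the point of the reply asking for cuckoo.log.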

doomedraven commented 6 years ago

That is the agent log; provide the cuckoo log.

DigiAngel commented 6 years ago

Thanks... a reboot of the box fixed it up, so... :)

doomedraven commented 6 years ago

Reboot can fix everything, heheh :)